[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: config_back_db_open and "cannot assess the validity of the ACL scope" in openldap-devel

Gavin Henry wrote:
Hi all,

Just playing in openldap-devel, with the next step being mirrormode, and
get this warning when running slapd with debug on:

    config_back_db_open: line 0: warning: cannot assess the validity of
the ACL scope within backend naming context

So is this a seperate assessment outwith the normal syntax one?

I don't quite understand the warning.
That's quite informative, and issued at a very verbose log level. Basically, the ACL parsing code checks whether a rule will actually be used with the scope it can potentially apply to. For example, if you place a rule

access to dn.subtree="" by * read

within a database with suffix "dc=example,dc=com", the rule might potentially apply to any DN, but since it's placed within a database with a non-empty suffix, it will only apply to dn.subtree="dc=example,dc=com". So the ACL designer might be fooled into believing that it will apply to any entry while it won't. This doesn't mean that the ACL is wrong: it will do what's intended for; that's why the warning is informative. In some cases, the ACL parsing code cannot determine the scope of a rule (for example, when regular expressions are involved); this causes the specific warning you see. If you understood the ACL syntax and you believe your ACLs are correct, you can safely ignore that warning.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it